Adding business logic to your tokens. What could possibly go wrong.

When working with an identity servers one of the first things we need to learn is the difference between an Id tokens and access tokens.

The fact that we can add additional claims to these tokens may seem nice adding a number of claims that are related to business logic may seem like a great feature for your application you wont need to look up this information all the time. However there needs to be a limit and in fact there is. Adding large numbers of claims to tokens where they don't belong can also cause some problems for your application in the long run and can also be a security risk.